Proceedings of the 37th IEEE Conference on Decision & Control • Tampa, Florida USA • December 1998
FP01-2 14:50

Formal Verification of an Automotive Engine Controller in Cutoff Mode

Tiziano Villa (1), Andrea Balluchi (1), Howard Wong-Toi (2), Jörg Preußig (3), Yosinori Watanabe (4), Alberto L. Sangiovanni-Vincentelli (1, 5)

(1) PARADES, Via di S. Pantaleo 66, 00186 Roma, Italy. {villa, balluchi, alberto}@parades.rm.cnr.it
(2) Cadence Berkeley Labs, 2001 Addison St., Third Floor, Berkeley, CA 94704, USA. howard@cadence.com
(3) Dept. of Chemical Eng., Univ. of Dortmund, Dortmund, Germany. Joerg.Praussig@ast.chemietechnik.uni-dortmund.de. Supported by DFG Kondisk-Projekt Ko 1430/3.
(4) Cadence European Labs, Via di S. Pantaleo 66, 00186 Roma, Italy. watanabe@cadence.com
(5) Dept. of Electrical Eng. and Computer Sciences, Univ. of California, Berkeley, CA 94720, USA. alberto@eecs.berkeley.edu

0-7803-4394-8/98 $10.00 (c) 1998 IEEE

Abstract

We describe formal verification of convergence and performance properties of an engine control algorithm being developed for Magneti-Marelli. We study the cutoff mode, where the driver releases the accelerator and the controller regulates fuel injection to minimize the oscillations while decelerating. The engine and its controller are modeled with hybrid automata and the sliding action of the hybrid controller is formally verified with the model checker HYTECH.

1 Introduction

1.1 Verification of embedded systems

Embedded systems are informally defined as a collection of programmable parts surrounded by ASICs and other standard components that interact continuously with an environment through sensors and actuators. Embedded systems often are used in life-critical situations, where reliability and safety are more important criteria than performance. The closed-loop system—which involves a discrete controller and its analog environment—has behaviors that are inherently hybrid, i.e., both discrete and continuous in nature. Therefore the correctness of such systems cannot be established without consideration of the analog real-world environment in which it operates.

Prototyping is viable for simple embedded systems, but typically too expensive for complex ones. Hybrid system simulation, provided by such tools as Matlab and Xmath, is more feasible. However, while simulation runs can provide great insight into the behavior of the closed-loop system, as with all simulation methods, one is often left wondering if sufficient corner cases have been considered. Therefore, formally verifying high-level designs of hybrid systems appears to be very desirable for safety-critical systems [1]. Given a mathematical model of a system, one uses automated methods to prove rigorously that its real-time requirements are met. Rather than simulating over some fraction of the possible inputs, all legal input sequences are considered.

Our verification methodology consists of the following steps:
(1) Identify the concurrent components in the system.
(2) Model each component as a hybrid automaton, essentially a finite labeled transition system augmented with real-valued variables subject to differential inclusions.
(3) Conservatively approximate every nonlinear hybrid automaton by a linear hybrid automaton [5]. Intuitively, this subclass requires the continuous dynamics to obey constant polyhedral differential inclusions (the flow conditions cannot depend on x, and so dynamics of the form ẋ = x are prohibited).
(4) Analyze the collection of linear hybrid automata with the model-checking tool HYTECH, which uses automated semi-decision procedures [6].

The application of this methodology to industrial design is not an easy task. The state of the art of industrial-strength formal verification techniques is limited to equivalence checking. Strong results are available for property checking on discrete systems, but hybrid-system formal verification is still in its infancy. In this paper, we apply our methodology to a real-world complex embedded system design: a control strategy for a region of operation of a combustion engine [2, 3]. The controller was designed in response to a problem proposed by Magneti-Marelli, a major automotive electronics company. We formally verify convergence and performance requirements of the controller. A modified version of the controller presented here will be in production in vehicles this year.

1.2 Cutoff control problem

We consider control of the engine once the driver has released the accelerator pedal, thereby expressing a desire to have zero torque delivered by the engine. The control objective is to reach injection cutoff while minimizing acceleration oscillations, as these lead to passenger discomfort.
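The four-step methodology of Section 1.1 (model components as hybrid automata, conservatively approximate nonlinear dynamics by a linear hybrid automaton, then analyze the result mechanically) can be illustrated on a one-dimensional toy system. The Python program below is an added example written for this page: it is not the authors' model, not HYTECH, and uses no data from the Magneti-Marelli design. It assumes a single hypothetical continuous variable x with the state-dependent flow ẋ = -k·x, which a linear hybrid automaton cannot express directly. The program partitions the range of x into slices, each slice becoming a mode with a constant rate interval (the polyhedral differential inclusion of step (3)), and then, as a much simplified stand-in for the reachability analysis of step (4), computes bounds on the time at which x first reaches a threshold. The bounds bracket the exact solution and tighten as the partition is refined; when the threshold lies in a slice whose rate interval admits ẋ = 0, the over-approximation yields no finite upper bound, which is exactly the situation in which convergence cannot be concluded from the abstraction.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Mode:
    """One location of the linear hybrid automaton: invariant lo <= x <= hi and
    flow condition rate_min <= xdot <= rate_max, with all four values constant
    (the restriction step (3) imposes)."""
    lo: float
    hi: float
    rate_min: float
    rate_max: float


def abstract_decay(k: float, x_max: float, slices: int) -> List[Mode]:
    """Step (3): conservatively approximate the hypothetical nonlinear flow
    xdot = -k*x on [0, x_max] by a chain of modes with constant rate intervals.
    Since -k*x is monotone in x, its exact range on [lo, hi] is [-k*hi, -k*lo],
    so every concrete trajectory is also a trajectory of the abstraction."""
    width = x_max / slices
    return [Mode(i * width, (i + 1) * width, -k * (i + 1) * width, -k * i * width)
            for i in range(slices)]


def reach_time_bounds(modes: List[Mode], x0: float, thr: float) -> Tuple[float, float]:
    """Step (4), simplified: forward reachability through the mode chain.
    Returns (t_min, t_max) such that every run of the abstraction starting at
    x = x0 first reaches x <= thr at a time in [t_min, t_max]. t_max is inf when
    some abstract run may stall forever (a mode whose rate interval contains 0),
    in which case the abstraction cannot prove convergence."""
    if not (0.0 < thr < x0 <= modes[-1].hi):
        raise ValueError("need 0 < thr < x0 <= top of the modelled range")
    t_min = t_max = 0.0
    x = x0
    for m in reversed(modes):          # modes are ascending; traverse downward
        if x <= m.lo:                  # this mode lies entirely above current x
            continue
        target = max(m.lo, thr)        # leave the mode at its floor, or stop at thr
        dist = x - target
        t_min += dist / -m.rate_min    # fastest admissible descent through the mode
        if m.rate_max >= 0.0:          # slowest admissible run never leaves
            t_max = math.inf
        else:
            t_max += dist / -m.rate_max
        x = target
        if x <= thr:
            break
    return t_min, t_max


def reach_time_interval(modes: List[Mode], x0_lo: float, x0_hi: float, thr: float) -> Tuple[float, float]:
    """Bounds for an initial set x0 in [x0_lo, x0_hi]: the fastest run starts
    lowest and the slowest run starts highest, since every rate is non-positive."""
    return reach_time_bounds(modes, x0_lo, thr)[0], reach_time_bounds(modes, x0_hi, thr)[1]


def exact_time(k: float, x0: float, thr: float) -> float:
    """Closed form for the concrete system xdot = -k*x; used only to check the bounds."""
    return math.log(x0 / thr) / k


if __name__ == "__main__":
    k, x0, thr = 1.0, 4.0, 1.0          # constructed parameters for the toy system
    for slices in (4, 8, 16):
        lo, hi = reach_time_bounds(abstract_decay(k, 4.0, slices), x0, thr)
        print(f"{slices:2d} slices: t in [{lo:.4f}, {hi:.4f}], exact {exact_time(k, x0, thr):.4f}")
    # Threshold inside the bottom slice, where xdot = 0 is admissible: no upper bound.
    print("thr = 0.5:", reach_time_bounds(abstract_decay(k, 4.0, 4), x0, 0.5))
```

The two time bounds are lower and upper Riemann sums of the integral of 1/(k·x) across the traversed slices, which is why they always enclose the exact value and converge as the slicing is refined; a real tool such as HYTECH performs the analogous computation symbolically over polyhedra and over several variables at once.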
However, if fuel injection is abruptly cut off, the vehicle may exhibit very undesirable acceleration oscillations. In order to minimize these oscillations, the controller makes intelligent decisions about when and how to cut off fuel injection. We consider the original Magneti-Marelli specification of the car [2]. A revised model and an improved controller appear in [3].

Figure 1: System of engine and controller. (The figure shows the DRIVELINE block together with its state variables; the variable labels did not survive extraction.)

The system consists of the engine, which includes the driveline and the cylinders, and its controller, connected as shown in Figure 1. The car's driveline is described by a fifth-order linear system
[H = ‘[$l+’U
(1)
where ( = [